17170: Merge branch 'master'

[arvados.git] / services / api / test / unit / container_test.rb
diff --git a/services/api/test/unit/container_test.rb b/services/api/test/unit/container_test.rb

index 03e7850a5ab2f4cf31641633916495fac2e54f11..35e2b7ed1d0501d02162e22cd08e3556107b2799 100644 (file)
--- a/services/api/test/unit/container_test.rb
+++ b/services/api/test/unit/container_test.rb
@@ -23,6 +23,8 @@ class ContainerTest < ActiveSupport::TestCase
      command: ["echo", "hello"],
      output_path: "test",
      runtime_constraints: {
      command: ["echo", "hello"],
      output_path: "test",
      runtime_constraints: {
+      "API" => false,
+      "keep_cache_ram" => 0,
        "ram" => 12000000000,
        "vcpus" => 4,
      },
        "ram" => 12000000000,
        "vcpus" => 4,
      },
@@ -33,14 +35,18 @@ class ContainerTest < ActiveSupport::TestCase
        "var" => "val",
      },
      secret_mounts: {},
        "var" => "val",
      },
      secret_mounts: {},
+    runtime_user_uuid: "zzzzz-tpzed-xurymjxw79nv3jz",
+    runtime_auth_scopes: ["all"]
    }
  
    }
  
+  def request_only attrs
+    attrs.reject {|k| [:runtime_user_uuid, :runtime_auth_scopes].include? k}
+  end
+
    def minimal_new attrs={}
    def minimal_new attrs={}
-    cr = ContainerRequest.new DEFAULT_ATTRS.merge(attrs)
+    cr = ContainerRequest.new request_only(DEFAULT_ATTRS.merge(attrs))
      cr.state = ContainerRequest::Committed
      cr.state = ContainerRequest::Committed
-    act_as_user users(:active) do
-      cr.save!
-    end
+    cr.save!
      c = Container.find_by_uuid cr.container_uuid
      assert_not_nil c
      return c, cr
      c = Container.find_by_uuid cr.container_uuid
      assert_not_nil c
      return c, cr
@@ -180,7 +186,7 @@ class ContainerTest < ActiveSupport::TestCase
      assert_equal c1.runtime_status, {}
  
      assert_equal Container::Queued, c1.state
      assert_equal c1.runtime_status, {}
  
      assert_equal Container::Queued, c1.state
-    assert_raises ActiveRecord::RecordInvalid do
+    assert_raises ArvadosModel::PermissionDeniedError do
        c1.update_attributes! runtime_status: {'error' => 'Oops!'}
      end
  
        c1.update_attributes! runtime_status: {'error' => 'Oops!'}
      end
  
@@ -220,13 +226,15 @@ class ContainerTest < ActiveSupport::TestCase
    end
  
    test "Container serialized hash attributes sorted before save" do
    end
  
    test "Container serialized hash attributes sorted before save" do
+    set_user_from_auth :active
      env = {"C" => "3", "B" => "2", "A" => "1"}
      m = {"F" => {"kind" => "3"}, "E" => {"kind" => "2"}, "D" => {"kind" => "1"}}
      env = {"C" => "3", "B" => "2", "A" => "1"}
      m = {"F" => {"kind" => "3"}, "E" => {"kind" => "2"}, "D" => {"kind" => "1"}}
-    rc = {"vcpus" => 1, "ram" => 1, "keep_cache_ram" => 1}
+    rc = {"vcpus" => 1, "ram" => 1, "keep_cache_ram" => 1, "API" => true}
      c, _ = minimal_new(environment: env, mounts: m, runtime_constraints: rc)
      c, _ = minimal_new(environment: env, mounts: m, runtime_constraints: rc)
-    assert_equal c.environment.to_json, Container.deep_sort_hash(env).to_json
-    assert_equal c.mounts.to_json, Container.deep_sort_hash(m).to_json
-    assert_equal c.runtime_constraints.to_json, Container.deep_sort_hash(rc).to_json
+    c.reload
+    assert_equal Container.deep_sort_hash(env).to_json, c.environment.to_json
+    assert_equal Container.deep_sort_hash(m).to_json, c.mounts.to_json
+    assert_equal Container.deep_sort_hash(rc).to_json, c.runtime_constraints.to_json
    end
  
    test 'deep_sort_hash on array of hashes' do
    end
  
    test 'deep_sort_hash on array of hashes' do
@@ -236,6 +244,7 @@ class ContainerTest < ActiveSupport::TestCase
    end
  
    test "find_reusable method should select higher priority queued container" do
    end
  
    test "find_reusable method should select higher priority queued container" do
+        Rails.configuration.Containers.LogReuseDecisions = true
      set_user_from_auth :active
      common_attrs = REUSABLE_COMMON_ATTRS.merge({environment:{"var" => "queued"}})
      c_low_priority, _ = minimal_new(common_attrs.merge({use_existing:false, priority:1}))
      set_user_from_auth :active
      common_attrs = REUSABLE_COMMON_ATTRS.merge({environment:{"var" => "queued"}})
      c_low_priority, _ = minimal_new(common_attrs.merge({use_existing:false, priority:1}))
@@ -285,13 +294,13 @@ class ContainerTest < ActiveSupport::TestCase
        log: 'ea10d51bcf88862dbcc36eb292017dfd+45',
      }
  
        log: 'ea10d51bcf88862dbcc36eb292017dfd+45',
      }
  
-    cr = ContainerRequest.new common_attrs
+    cr = ContainerRequest.new request_only(common_attrs)
      cr.use_existing = false
      cr.state = ContainerRequest::Committed
      cr.save!
      c_output1 = Container.where(uuid: cr.container_uuid).first
  
      cr.use_existing = false
      cr.state = ContainerRequest::Committed
      cr.save!
      c_output1 = Container.where(uuid: cr.container_uuid).first
  
-    cr = ContainerRequest.new common_attrs
+    cr = ContainerRequest.new request_only(common_attrs)
      cr.use_existing = false
      cr.state = ContainerRequest::Committed
      cr.save!
      cr.use_existing = false
      cr.state = ContainerRequest::Committed
      cr.save!
@@ -312,7 +321,8 @@ class ContainerTest < ActiveSupport::TestCase
      c_output2.update_attributes!({state: Container::Running})
      c_output2.update_attributes!(completed_attrs.merge({log: log1, output: out2}))
  
      c_output2.update_attributes!({state: Container::Running})
      c_output2.update_attributes!(completed_attrs.merge({log: log1, output: out2}))
  
-    reused = Container.resolve(ContainerRequest.new(common_attrs))
+    set_user_from_auth :active
+    reused = Container.resolve(ContainerRequest.new(request_only(common_attrs)))
      assert_equal c_output1.uuid, reused.uuid
    end
  
      assert_equal c_output1.uuid, reused.uuid
    end
  
@@ -381,9 +391,11 @@ class ContainerTest < ActiveSupport::TestCase
                                                 runtime_status: {'warning' => 'This is not an error'},
                                                 progress: 0.15})
      c_faster_started_second.update_attributes!({state: Container::Locked})
                                                 runtime_status: {'warning' => 'This is not an error'},
                                                 progress: 0.15})
      c_faster_started_second.update_attributes!({state: Container::Locked})
+    assert_equal 0, Container.where("runtime_status->'error' is not null").count
      c_faster_started_second.update_attributes!({state: Container::Running,
                                                  runtime_status: {'error' => 'Something bad happened'},
                                                  progress: 0.2})
      c_faster_started_second.update_attributes!({state: Container::Running,
                                                  runtime_status: {'error' => 'Something bad happened'},
                                                  progress: 0.2})
+    assert_equal 1, Container.where("runtime_status->'error' is not null").count
      reused = Container.find_reusable(common_attrs)
      assert_not_nil reused
      # Selected the non-failing container even if it's the one with less progress done
      reused = Container.find_reusable(common_attrs)
      assert_not_nil reused
      # Selected the non-failing container even if it's the one with less progress done
@@ -502,12 +514,84 @@ class ContainerTest < ActiveSupport::TestCase
  
    test "find_reusable with logging enabled" do
      set_user_from_auth :active
  
    test "find_reusable with logging enabled" do
      set_user_from_auth :active
-    Rails.configuration.log_reuse_decisions = true
+    Rails.configuration.Containers.LogReuseDecisions = true
      Rails.logger.expects(:info).at_least(3)
      Container.find_reusable(REUSABLE_COMMON_ATTRS)
    end
  
      Rails.logger.expects(:info).at_least(3)
      Container.find_reusable(REUSABLE_COMMON_ATTRS)
    end
  
+  def runtime_token_attr tok
+    auth = api_client_authorizations(tok)
+    {runtime_user_uuid: User.find_by_id(auth.user_id).uuid,
+     runtime_auth_scopes: auth.scopes,
+     runtime_token: auth.token}
+  end
+
+  test "find_reusable method with same runtime_token" do
+    set_user_from_auth :active
+    common_attrs = REUSABLE_COMMON_ATTRS.merge({use_existing:false, priority:1, environment:{"var" => "queued"}})
+    c1, _ = minimal_new(common_attrs.merge({runtime_token: api_client_authorizations(:container_runtime_token).token}))
+    assert_equal Container::Queued, c1.state
+    reused = Container.find_reusable(common_attrs.merge(runtime_token_attr(:container_runtime_token)))
+    assert_not_nil reused
+    assert_equal reused.uuid, c1.uuid
+  end
+
+  test "find_reusable method with different runtime_token, same user" do
+    set_user_from_auth :active
+    common_attrs = REUSABLE_COMMON_ATTRS.merge({use_existing:false, priority:1, environment:{"var" => "queued"}})
+    c1, _ = minimal_new(common_attrs.merge({runtime_token: api_client_authorizations(:crt_user).token}))
+    assert_equal Container::Queued, c1.state
+    reused = Container.find_reusable(common_attrs.merge(runtime_token_attr(:container_runtime_token)))
+    assert_not_nil reused
+    assert_equal reused.uuid, c1.uuid
+  end
+
+  test "find_reusable method with nil runtime_token, then runtime_token with same user" do
+    set_user_from_auth :crt_user
+    common_attrs = REUSABLE_COMMON_ATTRS.merge({use_existing:false, priority:1, environment:{"var" => "queued"}})
+    c1, _ = minimal_new(common_attrs)
+    assert_equal Container::Queued, c1.state
+    assert_equal users(:container_runtime_token_user).uuid, c1.runtime_user_uuid
+    reused = Container.find_reusable(common_attrs.merge(runtime_token_attr(:container_runtime_token)))
+    assert_not_nil reused
+    assert_equal reused.uuid, c1.uuid
+  end
+
+  test "find_reusable method with different runtime_token, different user" do
+    set_user_from_auth :crt_user
+    common_attrs = REUSABLE_COMMON_ATTRS.merge({use_existing:false, priority:1, environment:{"var" => "queued"}})
+    c1, _ = minimal_new(common_attrs.merge({runtime_token: api_client_authorizations(:active).token}))
+    assert_equal Container::Queued, c1.state
+    reused = Container.find_reusable(common_attrs.merge(runtime_token_attr(:container_runtime_token)))
+    # See #14584
+    assert_not_nil reused
+    assert_equal c1.uuid, reused.uuid
+  end
+
+  test "find_reusable method with nil runtime_token, then runtime_token with different user" do
+    set_user_from_auth :active
+    common_attrs = REUSABLE_COMMON_ATTRS.merge({use_existing:false, priority:1, environment:{"var" => "queued"}})
+    c1, _ = minimal_new(common_attrs.merge({runtime_token: nil}))
+    assert_equal Container::Queued, c1.state
+    reused = Container.find_reusable(common_attrs.merge(runtime_token_attr(:container_runtime_token)))
+    # See #14584
+    assert_not_nil reused
+    assert_equal c1.uuid, reused.uuid
+  end
+
+  test "find_reusable method with different runtime_token, different scope, same user" do
+    set_user_from_auth :active
+    common_attrs = REUSABLE_COMMON_ATTRS.merge({use_existing:false, priority:1, environment:{"var" => "queued"}})
+    c1, _ = minimal_new(common_attrs.merge({runtime_token: api_client_authorizations(:runtime_token_limited_scope).token}))
+    assert_equal Container::Queued, c1.state
+    reused = Container.find_reusable(common_attrs.merge(runtime_token_attr(:container_runtime_token)))
+    # See #14584
+    assert_not_nil reused
+    assert_equal c1.uuid, reused.uuid
+  end
+
    test "Container running" do
    test "Container running" do
+    set_user_from_auth :active
      c, _ = minimal_new priority: 1
  
      set_user_from_auth :dispatch1
      c, _ = minimal_new priority: 1
  
      set_user_from_auth :dispatch1
@@ -527,6 +611,7 @@ class ContainerTest < ActiveSupport::TestCase
    end
  
    test "Lock and unlock" do
    end
  
    test "Lock and unlock" do
+    set_user_from_auth :active
      c, cr = minimal_new priority: 0
  
      set_user_from_auth :dispatch1
      c, cr = minimal_new priority: 0
  
      set_user_from_auth :dispatch1
@@ -584,9 +669,58 @@ class ContainerTest < ActiveSupport::TestCase
  
      auth_exp = ApiClientAuthorization.find_by_uuid(auth_uuid_was).expires_at
      assert_operator auth_exp, :<, db_current_time
  
      auth_exp = ApiClientAuthorization.find_by_uuid(auth_uuid_was).expires_at
      assert_operator auth_exp, :<, db_current_time
+
+    assert_nil ApiClientAuthorization.validate(token: ApiClientAuthorization.find_by_uuid(auth_uuid_was).token)
+  end
+
+  test "Exceed maximum lock-unlock cycles" do
+    Rails.configuration.Containers.MaxDispatchAttempts = 3
+
+    set_user_from_auth :active
+    c, cr = minimal_new
+
+    set_user_from_auth :dispatch1
+    assert_equal Container::Queued, c.state
+    assert_equal 0, c.lock_count
+
+    c.lock
+    c.reload
+    assert_equal 1, c.lock_count
+    assert_equal Container::Locked, c.state
+
+    c.unlock
+    c.reload
+    assert_equal 1, c.lock_count
+    assert_equal Container::Queued, c.state
+
+    c.lock
+    c.reload
+    assert_equal 2, c.lock_count
+    assert_equal Container::Locked, c.state
+
+    c.unlock
+    c.reload
+    assert_equal 2, c.lock_count
+    assert_equal Container::Queued, c.state
+
+    c.lock
+    c.reload
+    assert_equal 3, c.lock_count
+    assert_equal Container::Locked, c.state
+
+    c.unlock
+    c.reload
+    assert_equal 3, c.lock_count
+    assert_equal Container::Cancelled, c.state
+
+    assert_raise(ArvadosModel::LockFailedError) do
+      # Cancelled to Locked is not allowed
+      c.lock
+    end
    end
  
    test "Container queued cancel" do
    end
  
    test "Container queued cancel" do
+    set_user_from_auth :active
      c, cr = minimal_new({container_count_max: 1})
      set_user_from_auth :dispatch1
      assert c.update_attributes(state: Container::Cancelled), show_errors(c)
      c, cr = minimal_new({container_count_max: 1})
      set_user_from_auth :dispatch1
      assert c.update_attributes(state: Container::Cancelled), show_errors(c)
@@ -599,7 +733,16 @@ class ContainerTest < ActiveSupport::TestCase
      assert_equal 1, Container.readable_by(users(:active)).where(state: "Queued").count
    end
  
      assert_equal 1, Container.readable_by(users(:active)).where(state: "Queued").count
    end
  
+  test "Containers with no matching request are readable by admin" do
+    uuids = Container.includes('container_requests').where(container_requests: {uuid: nil}).collect(&:uuid)
+    assert_not_empty uuids
+    assert_empty Container.readable_by(users(:active)).where(uuid: uuids)
+    assert_not_empty Container.readable_by(users(:admin)).where(uuid: uuids)
+    assert_equal uuids.count, Container.readable_by(users(:admin)).where(uuid: uuids).count
+  end
+
    test "Container locked cancel" do
    test "Container locked cancel" do
+    set_user_from_auth :active
      c, _ = minimal_new
      set_user_from_auth :dispatch1
      assert c.lock, show_errors(c)
      c, _ = minimal_new
      set_user_from_auth :dispatch1
      assert c.lock, show_errors(c)
@@ -608,6 +751,7 @@ class ContainerTest < ActiveSupport::TestCase
    end
  
    test "Container locked cancel with log" do
    end
  
    test "Container locked cancel with log" do
+    set_user_from_auth :active
      c, _ = minimal_new
      set_user_from_auth :dispatch1
      assert c.lock, show_errors(c)
      c, _ = minimal_new
      set_user_from_auth :dispatch1
      assert c.lock, show_errors(c)
@@ -619,6 +763,7 @@ class ContainerTest < ActiveSupport::TestCase
    end
  
    test "Container running cancel" do
    end
  
    test "Container running cancel" do
+    set_user_from_auth :active
      c, _ = minimal_new
      set_user_from_auth :dispatch1
      c.lock
      c, _ = minimal_new
      set_user_from_auth :dispatch1
      c.lock
@@ -640,7 +785,55 @@ class ContainerTest < ActiveSupport::TestCase
      end
    end
  
      end
    end
  
+  [
+    [Container::Queued, {state: Container::Locked}],
+    [Container::Queued, {state: Container::Running}],
+    [Container::Queued, {state: Container::Complete}],
+    [Container::Queued, {state: Container::Cancelled}],
+    [Container::Queued, {priority: 123456789}],
+    [Container::Queued, {runtime_status: {'error' => 'oops'}}],
+    [Container::Queued, {cwd: '/'}],
+    [Container::Locked, {state: Container::Running}],
+    [Container::Locked, {state: Container::Queued}],
+    [Container::Locked, {priority: 123456789}],
+    [Container::Locked, {runtime_status: {'error' => 'oops'}}],
+    [Container::Locked, {cwd: '/'}],
+    [Container::Running, {state: Container::Complete}],
+    [Container::Running, {state: Container::Cancelled}],
+    [Container::Running, {priority: 123456789}],
+    [Container::Running, {runtime_status: {'error' => 'oops'}}],
+    [Container::Running, {cwd: '/'}],
+    [Container::Running, {gateway_address: "172.16.0.1:12345"}],
+    [Container::Running, {interactive_session_started: true}],
+    [Container::Complete, {state: Container::Cancelled}],
+    [Container::Complete, {priority: 123456789}],
+    [Container::Complete, {runtime_status: {'error' => 'oops'}}],
+    [Container::Complete, {cwd: '/'}],
+    [Container::Cancelled, {cwd: '/'}],
+  ].each do |start_state, updates|
+    test "Container update #{updates.inspect} when #{start_state} forbidden for non-admin" do
+      set_user_from_auth :active
+      c, _ = minimal_new
+      if start_state != Container::Queued
+        set_user_from_auth :dispatch1
+        c.lock
+        if start_state != Container::Locked
+          c.update_attributes! state: Container::Running
+          if start_state != Container::Running
+            c.update_attributes! state: start_state
+          end
+        end
+      end
+      assert_equal c.state, start_state
+      set_user_from_auth :active
+      assert_raises(ArvadosModel::PermissionDeniedError) do
+        c.update_attributes! updates
+      end
+    end
+  end
+
    test "Container only set exit code on complete" do
    test "Container only set exit code on complete" do
+    set_user_from_auth :active
      c, _ = minimal_new
      set_user_from_auth :dispatch1
      c.lock
      c, _ = minimal_new
      set_user_from_auth :dispatch1
      c.lock
@@ -653,6 +846,7 @@ class ContainerTest < ActiveSupport::TestCase
    end
  
    test "locked_by_uuid can update log when locked/running, and output when running" do
    end
  
    test "locked_by_uuid can update log when locked/running, and output when running" do
+    set_user_from_auth :active
      logcoll = collections(:real_log_collection)
      c, cr1 = minimal_new
      cr2 = ContainerRequest.new(DEFAULT_ATTRS)
      logcoll = collections(:real_log_collection)
      c, cr1 = minimal_new
      cr2 = ContainerRequest.new(DEFAULT_ATTRS)
@@ -694,28 +888,51 @@ class ContainerTest < ActiveSupport::TestCase
      cr2.reload
      assert_equal cr1log_uuid, cr1.log_uuid
      assert_equal cr2log_uuid, cr2.log_uuid
      cr2.reload
      assert_equal cr1log_uuid, cr1.log_uuid
      assert_equal cr2log_uuid, cr2.log_uuid
-    assert_equal [logpdh_time2], Collection.where(uuid: [cr1log_uuid, cr2log_uuid]).to_a.collect(&:portable_data_hash).uniq
+    assert_equal 1, Collection.where(uuid: [cr1log_uuid, cr2log_uuid]).to_a.collect(&:portable_data_hash).uniq.length
+    assert_equal ". acbd18db4cc2f85cedef654fccc4a4d8+3 cdd549ae79fe6640fa3d5c6261d8303c+195 0:3:foo.txt 3:195:zzzzz-8i9sb-0vsrcqi7whchuil.log.txt
+./log\\040for\\040container\\040#{cr1.container_uuid} acbd18db4cc2f85cedef654fccc4a4d8+3 cdd549ae79fe6640fa3d5c6261d8303c+195 0:3:foo.txt 3:195:zzzzz-8i9sb-0vsrcqi7whchuil.log.txt
+", Collection.find_by_uuid(cr1log_uuid).manifest_text
    end
  
    end
  
-  test "auth_uuid can set output, progress on running container -- but not state, log" do
-    c, _ = minimal_new
-    set_user_from_auth :dispatch1
-    c.lock
-    c.update_attributes! state: Container::Running
-
-    auth = ApiClientAuthorization.find_by_uuid(c.auth_uuid)
-    Thread.current[:api_client_authorization] = auth
-    Thread.current[:api_client] = auth.api_client
-    Thread.current[:token] = auth.token
-    Thread.current[:user] = auth.user
+  ["auth_uuid", "runtime_token"].each do |tok|
+    test "#{tok} can set output, progress, runtime_status, state on running container -- but not log" do
+      if tok == "runtime_token"
+        set_user_from_auth :spectator
+        c, _ = minimal_new(container_image: "9ae44d5792468c58bcf85ce7353c7027+124",
+                           runtime_token: api_client_authorizations(:active).token)
+      else
+        set_user_from_auth :active
+        c, _ = minimal_new
+      end
+      set_user_from_auth :dispatch1
+      c.lock
+      c.update_attributes! state: Container::Running
+
+      if tok == "runtime_token"
+        auth = ApiClientAuthorization.validate(token: c.runtime_token)
+        Thread.current[:api_client_authorization] = auth
+        Thread.current[:api_client] = auth.api_client
+        Thread.current[:token] = auth.token
+        Thread.current[:user] = auth.user
+      else
+        auth = ApiClientAuthorization.find_by_uuid(c.auth_uuid)
+        Thread.current[:api_client_authorization] = auth
+        Thread.current[:api_client] = auth.api_client
+        Thread.current[:token] = auth.token
+        Thread.current[:user] = auth.user
+      end
  
  
-    assert c.update_attributes(output: collections(:collection_owned_by_active).portable_data_hash)
-    assert c.update_attributes(progress: 0.5)
-    refute c.update_attributes(log: collections(:real_log_collection).portable_data_hash)
-    refute c.update_attributes(state: Container::Complete)
+      assert c.update_attributes(output: collections(:collection_owned_by_active).portable_data_hash)
+      assert c.update_attributes(runtime_status: {'warning' => 'something happened'})
+      assert c.update_attributes(progress: 0.5)
+      refute c.update_attributes(log: collections(:real_log_collection).portable_data_hash)
+      c.reload
+      assert c.update_attributes(state: Container::Complete, exit_code: 0)
+    end
    end
  
    test "not allowed to set output that is not readable by current user" do
    end
  
    test "not allowed to set output that is not readable by current user" do
+    set_user_from_auth :active
      c, _ = minimal_new
      set_user_from_auth :dispatch1
      c.lock
      c, _ = minimal_new
      set_user_from_auth :dispatch1
      c.lock
@@ -730,16 +947,20 @@ class ContainerTest < ActiveSupport::TestCase
    end
  
    test "other token cannot set output on running container" do
    end
  
    test "other token cannot set output on running container" do
+    set_user_from_auth :active
      c, _ = minimal_new
      set_user_from_auth :dispatch1
      c.lock
      c.update_attributes! state: Container::Running
  
      set_user_from_auth :running_to_be_deleted_container_auth
      c, _ = minimal_new
      set_user_from_auth :dispatch1
      c.lock
      c.update_attributes! state: Container::Running
  
      set_user_from_auth :running_to_be_deleted_container_auth
-    refute c.update_attributes(output: collections(:foo_file).portable_data_hash)
+    assert_raises(ArvadosModel::PermissionDeniedError) do
+      c.update_attributes(output: collections(:foo_file).portable_data_hash)
+    end
    end
  
    test "can set trashed output on running container" do
    end
  
    test "can set trashed output on running container" do
+    set_user_from_auth :active
      c, _ = minimal_new
      set_user_from_auth :dispatch1
      c.lock
      c, _ = minimal_new
      set_user_from_auth :dispatch1
      c.lock
@@ -753,6 +974,7 @@ class ContainerTest < ActiveSupport::TestCase
    end
  
    test "not allowed to set trashed output that is not readable by current user" do
    end
  
    test "not allowed to set trashed output that is not readable by current user" do
+    set_user_from_auth :active
      c, _ = minimal_new
      set_user_from_auth :dispatch1
      c.lock
      c, _ = minimal_new
      set_user_from_auth :dispatch1
      c.lock
@@ -768,24 +990,37 @@ class ContainerTest < ActiveSupport::TestCase
      end
    end
  
      end
    end
  
+  test "user cannot delete" do
+    set_user_from_auth :active
+    c, _ = minimal_new
+    assert_raises ArvadosModel::PermissionDeniedError do
+      c.destroy
+    end
+    assert Container.find_by_uuid(c.uuid)
+  end
+
    [
      {state: Container::Complete, exit_code: 0, output: '1f4b0bc7583c2a7f9102c395f4ffc5e3+45'},
      {state: Container::Cancelled},
    ].each do |final_attrs|
    [
      {state: Container::Complete, exit_code: 0, output: '1f4b0bc7583c2a7f9102c395f4ffc5e3+45'},
      {state: Container::Cancelled},
    ].each do |final_attrs|
-    test "secret_mounts is null after container is #{final_attrs[:state]}" do
+    test "secret_mounts and runtime_token are null after container is #{final_attrs[:state]}" do
+      set_user_from_auth :active
        c, cr = minimal_new(secret_mounts: {'/secret' => {'kind' => 'text', 'content' => 'foo'}},
        c, cr = minimal_new(secret_mounts: {'/secret' => {'kind' => 'text', 'content' => 'foo'}},
-                          container_count_max: 1)
+                          container_count_max: 1, runtime_token: api_client_authorizations(:active).token)
        set_user_from_auth :dispatch1
        c.lock
        c.update_attributes!(state: Container::Running)
        c.reload
        assert c.secret_mounts.has_key?('/secret')
        set_user_from_auth :dispatch1
        c.lock
        c.update_attributes!(state: Container::Running)
        c.reload
        assert c.secret_mounts.has_key?('/secret')
+      assert_equal api_client_authorizations(:active).token, c.runtime_token
  
        c.update_attributes!(final_attrs)
        c.reload
        assert_equal({}, c.secret_mounts)
  
        c.update_attributes!(final_attrs)
        c.reload
        assert_equal({}, c.secret_mounts)
+      assert_nil c.runtime_token
        cr.reload
        assert_equal({}, cr.secret_mounts)
        cr.reload
        assert_equal({}, cr.secret_mounts)
+      assert_nil cr.runtime_token
        assert_no_secrets_logged
      end
    end
        assert_no_secrets_logged
      end
    end